Add extern to *_main global variable declarations in header files.

[vpp.git] / src / vnet / ipsec / ikev2.c

diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 3f9978a..49bae17 100644 (file)
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -17,12 +17,15 @@
 #include <vnet/vnet.h>
 #include <vnet/pg/pg.h>
 #include <vppinfra/error.h>
+#include <vppinfra/random.h>
 #include <vnet/udp/udp.h>
 #include <vnet/ipsec/ipsec.h>
 #include <vnet/ipsec/ikev2.h>
 #include <vnet/ipsec/ikev2_priv.h>
 #include <openssl/sha.h>
 
+ikev2_main_t ikev2_main;
+
 static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
                                          ikev2_sa_t * sa,
                                          ikev2_child_sa_t * child);
@@ -875,25 +878,26 @@ ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike)
              first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
            }
        }
-      else if (payload == IKEV2_PAYLOAD_IDI || payload == IKEV2_PAYLOAD_IDR)   /* 35, 36 */
+      else if (payload == IKEV2_PAYLOAD_IDI)   /* 35 */
        {
          ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
 
-         if (sa->is_initiator)
-           {
-             sa->r_id.type = id->id_type;
-             vec_free (sa->r_id.data);
-             vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
-           }
-         else
-           {
-             sa->i_id.type = id->id_type;
-             vec_free (sa->i_id.data);
-             vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
-           }
+         sa->i_id.type = id->id_type;
+         vec_free (sa->i_id.data);
+         vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
 
-         clib_warning ("received payload %s, len %u id_type %u",
-                       (payload == IKEV2_PAYLOAD_IDI ? "IDi" : "IDr"),
+         clib_warning ("received payload IDi, len %u id_type %u",
+                       plen - sizeof (*id), id->id_type);
+       }
+      else if (payload == IKEV2_PAYLOAD_IDR)   /* 36 */
+       {
+         ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
+
+         sa->r_id.type = id->id_type;
+         vec_free (sa->r_id.data);
+         vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
+
+         clib_warning ("received payload IDr len %u id_type %u",
                        plen - sizeof (*id), id->id_type);
        }
       else if (payload == IKEV2_PAYLOAD_AUTH)  /* 39 */
@@ -1594,8 +1598,16 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, ikev2_sa_t * sa,
        + sa->profile->lifetime;
       if (sa->profile->lifetime_jitter)
        {
+         // This is not much better than rand(3), which Coverity warns
+         // is unsuitable for security applications; random_u32 is
+         // however fast. If this perturbance to the expiration time
+         // needs to use a better RNG then we may need to use something
+         // like /dev/urandom which has significant overhead.
+         u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
+         rnd = random_u32 (&rnd);
+
          child->time_to_expiration +=
-           1 + (rand () % sa->profile->lifetime_jitter);
+           1 + (rnd % sa->profile->lifetime_jitter);
        }
     }